Responsible AI

AI Usage & Data Governance

How AIReadiness365 uses automation responsibly, protects submitted information, and keeps people accountable for material decisions.

Effective
April 2, 2026
Last updated
July 11, 2026
Responsible entity
SturdyCloud IT Ltd.
Working public draft. This page is based on SturdyCloud IT Ltd.’s policy framework and should receive legal review before final publication.

Purpose and scope

This policy explains how AIReadiness365 and SturdyCloud IT Ltd. approach responsible AI, automated scoring, data handling, vendor selection, human oversight, and accessibility.

It applies to the public readiness funnel, preparation materials, result routing, assessment review, and any AI-assisted operational workflow used to support those activities.

Core principles

  • Human oversight: people remain accountable for material recommendations, invitations, and business decisions.
  • Transparency: visitors are told when a result is automated or directional.
  • Data minimisation: collect and process only what is reasonably needed.
  • Security: apply access, transport, logging, and vendor controls appropriate to risk.
  • Fairness: avoid uses that create unjustified discriminatory or harmful outcomes.
  • Accessibility: target WCAG 2.2 AA for user-facing experiences.

How the readiness funnel uses automation

The funnel may total multiple-choice answers, normalise a score, identify weaker readiness dimensions, assign a public result category, trigger guide delivery, and reveal an appropriate follow-up path.

Automation is used to organise responses and provide a consistent first step. It does not replace a detailed assessment or human professional judgment.

Risk classification

Low risk

Guide delivery, administrative routing, formatting, basic summaries, and educational content with human-approved rules.

Medium risk

Lead qualification, workflow recommendations, response summaries, and scheduling suggestions that could influence a business decision. These require testing, transparency, and appropriate human review.

High risk or prohibited without separate review

Fully automated legal, financial, employment, medical, eligibility, compliance, or other material decisions; sensitive profiling; or use of regulated data without documented safeguards and authority.

Data handling rules

  • Users should submit business-level readiness information, not confidential credentials or sensitive records.
  • Quiz responses are processed only for the disclosed funnel, security, improvement, or legal purposes.
  • Access should be limited to authorised people and providers.
  • Retention should match the purpose and applicable obligations.
  • Client or quiz data should not be used to train public models unless clearly disclosed and expressly authorised.
  • Material outputs should be traceable to the relevant response or workflow where practical.

Model and vendor governance

Before using an AI or automation provider, we consider security, privacy, reliability, retention, model-training terms, data location, access controls, incident history, and operational fit. Canadian processing is preferred where feasible, but some providers may process data elsewhere.

Providers receive only information reasonably necessary for their role. Vendor limitations may require changes to a use case or additional user notice.

Validation and human review

Scoring and routing should be tested across all result bands, including edge cases and incomplete submissions. Changes to questions, weights, consent wording, or result logic should be documented and reviewed.

AI-generated summaries or recommendations must be treated as drafts. A qualified person should review any material recommendation before it is relied upon or shared as professional guidance.

Communications governance

AI may help draft, personalise, route, or schedule communications, but it must not bypass consent, unsubscribe, sender-identification, or suppression rules. Transactional guide delivery should remain separate from optional marketing where practical.

Incidents and accountability

Potential incidents include data exposure, incorrect routing, harmful or misleading output, unauthorised messaging, inaccessible interfaces, and automation failures. When identified, we aim to assess, contain, correct, document, and learn from the issue.

Questions or concerns may be sent to contact@sturdycloud.ca.